OAuth2 with Multiple Emails

Crashdown

With the release of 1.17 I have been testing OAuth2 in a separate install with our Microsoft 365 account to make sure it works before doing the upgrade in our production environment. Following the directions was very easy and worked right away. I do not have any issues and it works as expected so far but I had a few questions I could not find answered in the documentation or on the forums.

We have multiple departments and multiple department emails. Is it best to setup a separate App Registration in Azure for each separate email or to use the one created and reuse that same app registration for all department emails? I have tested already reusing and it still works but I do not know if that is the best practice or if that would cause issues I am not seeing yet.

I noticed in the directions that in the last step as you sign into the email account the option to "Consent on behalf of your organization" will not be there unless signing in with Global Admin account which we would not use for a helpdesk email. We use unlicensed Shared Mailboxes and have been for years without issue. For each new mail account we are prompted for that access but so far I have not noticed any issues with not consenting just accepting each time. I assume then we only need to consent once and not again in the future?

Thank you

tuxsub

I had the same setup pre-oAuth - one licensed user accessing multiple shared mailboxes, using the / notation on the username field.

Couldn't get this to work with oAuth, ended up converting shared mailboxes to user mailboxes, applied an Exchange P1 license to each, enabled the tenant level setting "allow user consent for apps" temporarily, then used the same app registration for each mailbox in the tenant. So far so good. I obviously needed another app registration for mailboxes not in the primary tenant.

Would be great if the oAuth plugin supported other "prompt" params other than "consent", avoiding the need to toggle tenant level configuration where an admin has already consented - think I saw a forum post about this param becoming configurable in the future though!

Crashdown

tuxsub Our shared mailboxes use is slightly different in we do not license any of them for the helpdesk. Created separate Shared Mailboxes for each email. Once a Shared Mailbox is created, we would give it a password in the active users section as it needed to authenticate using IMAP previously, making sure the password does not expire. Seems we will need to do the same, giving the Shared Mailbox a password since during the OAuth2 setup that account needs to sign in although the password expiration does not seem important this time since it no longer uses passwords.

tuxsub

Crashdown
My shared mailboxes were unlicensed before today too, the P1 plan isn't too expensive fortunately.

I did also have to assign passwords and go through the MFA enrollment (required by conditional access) for these users.